Critical severity9.8NVD Advisory· Published Jul 11, 2024· Updated Apr 8, 2026

CVE-2024-6624

Description

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper controls on custom user meta fields. This makes it possible for unauthenticated attackers to register as administrators on the site. The plugin requires the JSON API plugin to also be installed.

Affected products

Parorrey/Json Api User
cpe:2.3:a:parorrey:json_api_user:*:*:*:*:*:wordpress:*:*
Range: <3.9.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changeset/3115185/nvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/a4a26f60-5912-4d4a-8ef8-e4357c1fb1ffnvdThird Party Advisory
plugins.trac.wordpress.org/browser/json-api-user/trunk/controllers/User.phpnvdProduct
plugins.trac.wordpress.org/browser/json-api-user/trunk/controllers/User.phpnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.035
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000